
I'm running Solaris 10 in a production environment and I have an integration with a third-party webservice using SSL for which they have provided the certificates. It was working fine until a couple of weeks back, when they updated their certificates and network and provided us with new certificates. I added these certificates to the Java trust stores cacerts and jssecerts, but the application was always failing on the handshake, so I decided to debug it using OpenSSL.

When I tried with OpenSSL I kept getting the error 'Verify return code: 20 (unable to get local issuer certificate)'. I searched on the internet and found a couple of solutions, like copying the certificates to a directory and providing it with the CApath option, merging all the certificates into one file, or just providing the root certificate with CAfile.

I even experimented with different paths by copying the certificates into them, like etc/certs, etc/ssl/certs, etc/sfw/openssl/certs, and I pretty much experimented with all certificate types from .cert to .pfx to .p7b, but I always get the same error.

An example is shared below:

/usr/sfw/bin/openssl s_client -CApath /etc/sfw/openssl/certs -connect example.hostipaddress:443 -debug
CONNECTED(00000004)
--    Long list of strings removed to conserve space --
02ef - <SPACES/NULS>
depth=1 /DC=local/DC=mgc/CN=MBTC-ENTCA1
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
 0 s:/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
   i:/DC=local/DC=mgc/CN=MBTC-ENTCA1
 1 s:/DC=local/DC=mgc/CN=MBTC-ENTCA1
   i:/DC=local/DC=mgc/CN=MGCROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and  Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
issuer=/DC=local/DC=mgc/CN=MBTC-ENTCA1
---
No client certificate CA names sent
---
SSL handshake has read 3570 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 79070000B3B0F581DDC6F732F5BAD3F384CAE1D67ADBA4AF551393A6A208C897
    Session-ID-ctx: 
    Master-Key: D04EFCA3E85CCB6E1F80F2B74C6CF24248B693F5CDABB0355F.....
    Key-Arg   : None
    Start Time: 1457082099
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Please suggest how to resolve or troubleshoot this issue.

  • Is the webservice actually using client certs? You tagged your question as such, but don't mention the type of certificates you received. – f_puras Mar 04 '16 at 09:46
  • Yes, it does. One is the root certificate, named MGCROOTCA.cer, and two others in .er format – Dashing Boy Mar 04 '16 at 10:42
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Mar 05 '16 at 05:23

2 Answers


If the connection requires a client certificate, you will need to tell OpenSSL using the -cert param, and -key if you got a separate private key (file). -CApath is used for server certificates only.

  • Result: root@orsapi2 # /usr/sfw/bin/openssl s_client -connect iosg-xrsweb:443 -cert /etc/ssl/MGCROOTCA.cer unable to get certificate from '/etc/ssl/MGCROOTCA.cer' 5842:error:02001002:system library:fopen:No such file or directory:/on10/build-nd/G10U11B0B/usr/src/common/openssl/crypto/bio/bss_file.c:294:fopen('/etc/ssl/MGCROOTCA.cer','r') 5842:error:20074002:BIO routines:FILE_CTRL:system lib:/on10/build-nd/G10U11B0B/usr/src/common/openssl/crypto/bio/bss_file.c:296: 5842:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../../../../common/openssl/ssl/ssl_rsa.c:515: – Dashing Boy Mar 04 '16 at 12:40
  • I imagine `MGCROOTCA.cer` is the server root certificate and not the client cert, right? And you should make sure all certs involved are in PEM format (text, starting with a line `-----BEGIN CERTIFICATE-----`). – f_puras Mar 04 '16 at 12:50

You are missing the Issuer CA with a Common Name of MGCROOTCA:

/usr/sfw/bin/openssl s_client -CApath /etc/sfw/openssl/certs -connect example.hostipaddress:443 -debug
CONNECTED(00000004)
...
depth=1 /DC=local/DC=mgc/CN=MBTC-ENTCA1
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
 0 s:/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
   i:/DC=local/DC=mgc/CN=MBTC-ENTCA1
 1 s:/DC=local/DC=mgc/CN=MBTC-ENTCA1
   i:/DC=local/DC=mgc/CN=MGCROOTCA
   ...

I can't find it online, so you'll probably have to contact the bank for it. Once you get your hands on it, make sure it's in PEM format and then:

$ openssl s_client -connect www.example.com:443 -tls1 \
  -servername www.example.com -CAfile MGCROOTCA.pem
  • Got /usr/sfw/bin/openssl s_client -connect hostname:443 -tls1 -servername hostname -CAfile MGCROOTCA.pem unknown option -servername usage: s_client args – Dashing Boy Mar 07 '16 at 07:06
  • Okay, after changing it to openssl s_client -connect www.example.com:443 -tls1 -CAfile MGCROOTCA.pem it worked, but now I got: Verify return code: 7 (certificate signature failure) – Dashing Boy Mar 07 '16 at 07:45
  • *"... unknown option -servername usage: s_client args"* - it sounds like you are using a really old version of OpenSSL. Maybe you should install an updated version of the library in `/usr/local/ssl`, and then create a shell script that forwards calls to `openssl` to the one found in `/usr/local/ssl/bin/openssl`. See, for example, [Where does mysql_ssl_rsa_setup get OpenSSL files?](http://stackoverflow.com/a/35834957/608639) – jww Mar 07 '16 at 18:00
  • How can I update the library, can you please provide me with a script? – Dashing Boy Mar 08 '16 at 11:04
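The situation in this thread (the server sends IOSG-XRSWEB and MBTC-ENTCA1, MGCROOTCA is missing locally), reproduced as an added example that is not part of the original question or answers: it builds a throwaway chain with the same subject names, shows the error 20 the asker saw, the -CAfile fix from the second answer, and why copying the root into a -CApath directory as-is (the asker's earlier attempt) still fails while a hash-named link works. It assumes `openssl` 1.1.1 or later on the PATH; every key and certificate is generated on the fly and is test material only.

```shell
#!/bin/sh
# Constructed reproduction of OpenSSL "Verify return code: 20 (unable to get local
# issuer certificate)": the server presents leaf + intermediate, the root is missing
# locally. Names are borrowed from the page; every key and cert here is throwaway.
set -e
WORK=$(mktemp -d)

make_chain() {
  cd "$WORK"
  # Minimal config so the run does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n' > req.cnf
  printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf
  # Root CA: self-signed trust anchor (the MGCROOTCA the asker never had locally)
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/DC=local/DC=mgc/CN=MGCROOTCA' -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA signed by the root; needs CA:TRUE or verification fails with error 24
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj '/DC=local/DC=mgc/CN=MBTC-ENTCA1' -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
    -extfile req.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj '/C=PH/O=Metropolitan Bank and Trust Company/CN=IOSG-XRSWEB' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 \
    -out leaf.pem 2>/dev/null
}
# -untrusted stands in for the chain the server sends; each helper echoes the verdict.
verify_no_root() {          # trust store without the root: the asker's starting point
  openssl verify -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}
verify_cafile_root() {      # the fix from the second answer: hand the root over via -CAfile
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}
verify_capath_plain() {     # what the asker did: copy the root into a directory as-is
  mkdir -p "$WORK/plain" && cp "$WORK/root.pem" "$WORK/plain/"
  openssl verify -CApath "$WORK/plain" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}
verify_capath_hashed() {    # -CApath only finds <subject-hash>.N, so link it under that name
  mkdir -p "$WORK/hashed"
  ln -sf "$WORK/root.pem" "$WORK/hashed/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"
  openssl verify -CApath "$WORK/hashed" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1 || true
}

make_chain
echo "no root:        $(verify_no_root)"
echo "-CAfile root:   $(verify_cafile_root)"
echo "-CApath plain:  $(verify_capath_plain)"
echo "-CApath hashed: $(verify_capath_hashed)"
```

The first and third runs end in "error 20 at 1 depth lookup: unable to get local issuer certificate", the second and fourth in "leaf.pem: OK"; the depth 1 tells you the verifier walked past the leaf and stopped at the intermediate, exactly as in the s_client output above.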